F-Secure’s Countercept division is harnessing offensive techniques to develop better defenses

In the year since F-Secure completed its acquisition of MWR InfoSecurity, the Finnish cybersecurity services firm has expanded its threat hunting capabilities by adding red team (offensive) skills.

Joining the F-Secure fold as part of the acquisition was Countercept, a threat hunting service that brings together pentesting, attack simulation, and offensive security research to rival endpoint detection and response (EDR) services.

The Daily Swig recently caught up with Luke Jennings, chief research officer at F-Secure Countercept, who discussed how poachers can become gamekeepers, as well as other trends in the global cybersecurity services market.

MWR InfoSecurity has expertise in offensive research. How does that help when it comes to offering defensive services through F-Secure?

Luke Jennings: MWR’s history is in offensive security research and testing, before we expanded and developed defensive capabilities as well, and it’s been invaluable to us.

Defense is all about countermeasures to attacks, so if you don’t understand attacks well, you can’t develop effective countermeasures, nor can you evaluate how well your countermeasures are working in practice.

Most of the senior staff in defensive areas have a long history in offensive disciplines, which means they have a great skill set for it.

Additionally, our current offensive and defensive teams work collaboratively to help one another improve. Our targeted attack simulation teams gain insight on how their current techniques and future ideas stack up against current defensive strategies we employ, and our defensive teams gain insight on how our offensive team’s TTPs (tactics, techniques and procedures) are changing ahead of time.

During a recent presentation, you mentioned that MWR division is interested in research into anomaly detection and endpoint detection and response (EDR) bypass? Could you expand on this?

LJ: Our detection and response goal is to be effective at detecting sophisticated targeted attacks that have not necessarily been seen before. In this case, we expect them to not use any known indicators of compromise from previous attacks and to probably bypass many, if not all, generic detection rules.

Anomaly detection is a broad area that provides a lot of value in this space, as it can help find compromises purely due to observing something a bit strange or unusual occurring on a network. It's difficult to do well, but it's extremely powerful.

EDR is a powerful technical tool in a threat hunter's arsenal and has become much more prevalent in recent years. Since it has started causing attackers trouble, there is a lot more research going on in to methods of bypassing specific EDR tools, as well as the common implementation approaches used among many EDR vendors.

Since EDR is an important source of data for us, it is important for us to understand the implications and discover other possible bypasses so we can develop countermeasures for dealing with them.

In some cases, there may be specific ways to address them directly. In other cases, they might be more fundamental, meaning we cannot rely 100% on a particular source of data.

That, in turn, will generally lead to us to prioritizing other areas of detection research that can be used to detect the same techniques in other ways, so there are multiple layers of defense.

MWR’s research efforts have included developing a Python-based script to detect DoublePulsar, a leaked tool originally developed by the NSA. Current research efforts are focused on areas such as anomaly detection and EDR bypass. How does F-Secure’s MWR division go about prioritizing its research projects?

LJ: In the detection space, research is generally prioritized based on either changes in the threat landscape or currently identified areas of weakness. If we see attackers shifting their TTPs, then we need to combat that.

For example, many attackers began making heavy use of PowerShell some years ago. As PowerShell detection methods improved, we saw a shift away from that, particularly towards the use of .NET, and so we performed both public and private research in this space and adapted our technology and detection strategies accordingly.

On current areas of weakness, that’s often a cyclical process. For example, we might make a big push towards improving our capabilities for detecting code execution and memory resident implant techniques.

The end result is that we may re-evaluate and decide that, as a consequence, our lateral movement detection techniques are now not at the same level of sophistication as the techniques we have just improved, and so we may then decide to make a big push on lateral movement.

Sometimes, this may be incident-driven where we observe certain aspects of some compromises we deal with as having been either harder or more time-consuming to uncover than more familiar aspects.

On the other hand, it could be technology trend driven. For example, we have seen many of our customers moving towards increased use of major cloud services like Office365, Azure Active Directory, and Amazon AWS. That then creates an increased priority of detection research in these areas.

In the offensive space, the prioritization process is similar. Generally, either certain offensive techniques stop being as effective due to improvements in the defensive space, so new techniques need to be researched and adopted, or technology trends change meaning offensive techniques applicable to newer technologies become important.

Finally, how do you view the threat landscape? What’s the prevalence of attacks you come across that might be blamed on cybercriminals, versus those likely down to more advanced threat actors, for example nation states?

LJ: The majority of cyber-attacks are financially motivated and hit the news because of the disruption or destruction they cause.

Nation-state attacks generally carry a different objective – strategic footholds in target infrastructure, or stealthy exfiltration of data. As such, these are harder to uncover and when they are revealed, [they] carry less reportable impact.

That said, the potential impact can be many times worse if viewed over the longer term in support of geopolitical aims or in a time of conflict.

In order to make money, criminal attacks are noisy and disruptive, and this drives much of security agenda. Nation-state attacks less so, but can carry more impact down the line.

The lines are blurred when it comes to defending against the two. They can both employ similar techniques, so we typically defend our clients against both classes of actor.

RELATED AI developments likely to open new front in cyber conflict